#1
Security in PHP
Hey guys,
Can you please help me out by listing some security things that I would have to watch out for when making a website in PHP, and possible methods to fix/stop the problem. For example, I know about SQL injection, and to stop that I just had to make sure I add slashes to all entries to a DB. What other security issues are there, and how do I stop/fix them?
#2
All data input.
Rule #1 of all programming: never trust the user. Like in Million Dollar Baby: always protect yourself. Keep repeating it to yourself until you realise this. Limit everything by allowing only what they should be entering. So, if you have a simple box that allows them to insert a date, then perform simple checks using regex to make sure it's the date. Having said such, it may not have a devastating effect on many things, but it does mean it's one less problem. Also, always make sure on every page you're checking the user's info to see whether they can access the page. The security thread has more info on the subject.
__________________
Suffolk Website Designers
#3
I like to try to stay away from text input as well. It's a lot easier to 'clean' form input from a select, checkbox, etc. than it is to clean a text field.
It isn't always possible, but the harder you make it for users to enter incorrect data, the easier it will be to secure your web app.
#4
Every input is a text box when it comes down to it. Even though your form may use selects and check/radio buttons, it doesn't mean a malicious user has to use your form.
There are many, many issues to be concerned about. Read the Security thread at the top of this forum. You'll get a lot of good ideas out of there. Other than that, search the web. Chris Shiflett writes a lot of good articles on PHP/web security. Read some of the stuff he's written and you'll be ahead of a lot of others. ---John Holmes...
#5
Absolutely correct sir, but at least with the other types of input you know the exact form data you should be looking for as well as the method.
#6
There are also a lot of good articles at phpsec.org, I highly recommend Chris Shiflett's PHP Security Workbook here.
#7
Validate all user input somehow. If you are expecting a number back, use " settype($var, "integer"); " where $var is the name of your variable, to force it to be a number.
#8
or just use a cast:
$var = (int) $var;
You can also use things like is_numeric(), is_int(), is_bool() etc. to test if a variable is a certain type.
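Putting the replies above into one place, as an added example that is not from the thread: server-side checks for an integer field (posts #7 and #8), a date field checked by regex (post #2), and a select value checked against an allow-list whatever control the browser claims to have used (posts #3 and #4). The field names, the allowed colours and the sample request are constructed for illustration.

```php
<?php
// Added example (not from the thread): server-side validation of form fields
// as the replies above recommend. Field names and allowed values are constructed.
declare(strict_types=1);
// Allow-list of the values the <select> is supposed to send. Posts #3/#4: the
// browser control is irrelevant, the server checks the value it actually gets.
const ALLOWED_COLOURS = ['red', 'green', 'blue'];
// Validate one field; returns the cleaned value, or null if it is rejected.
function validateField(string $name, $raw)
{
    switch ($name) {
        case 'qty':
            // Posts #7/#8: force an integer. A bare (int) cast turns "12abc"
            // into 12 silently, so check the raw text first, then cast.
            if (!is_string($raw) || !preg_match('/^\d{1,6}$/', $raw)) {
                return null;
            }
            return (int) $raw;
        case 'date':
            // Post #2: regex for the YYYY-MM-DD shape, then checkdate() so a
            // well-shaped but impossible date such as 2024-02-30 is rejected too.
            if (!is_string($raw) || !preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $raw, $m)) {
                return null;
            }
            return checkdate((int) $m[2], (int) $m[3], (int) $m[1]) ? $raw : null;
        case 'colour':
            return in_array($raw, ALLOWED_COLOURS, true) ? $raw : null;
        default:
            return null; // unknown field names are dropped, never passed through
    }
}
// Validate a whole request (e.g. $_POST); returns [cleanValues, rejectedFields].
function validateRequest(array $input): array
{
    $clean = $errors = [];
    foreach (['qty', 'date', 'colour'] as $field) {
        $value = validateField($field, $input[$field] ?? null);
        if ($value === null) {
            $errors[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}
// Constructed sample standing in for $_POST: every field is malformed.
[$clean, $errors] = validateRequest(['qty' => '12abc', 'date' => '2024-02-30', 'colour' => 'purple']);
// $errors === ['qty', 'date', 'colour']; $clean is empty, so nothing reaches the DB.
```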
#9
You should read the sticky. There's some useful information in there. If it's not mentioned in there, you should read the PHP Manual's section on Security, it covers SQL injection, and then there's just stuff like never outputting user input variables without validating them first.
#10
Thanks guys, I'll do what you all suggested